For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

alanjohnson7467's avatar
alanjohnson7467
Icon for Cirrus rankCirrus
Jul 10, 2019
Solved

Extract SAN from Client SSL Certificate & Insert into HTTP Header

Hi folks, I'm working with some co-workers to setup some Slack.com forwarding in our environment. Mutual TLS and the insertion of the SAN from the client certificate into a HTTP header is a requir...
application delivery
iRules
LTM
ltm policy
security
  • Eric_Chen's avatar
    Eric_Chen
    Aug 28, 2019

    When I apply that iRule my test cert works. Not sure why your environment is different. Here's an alternate iRule you could try.

    when HTTP_REQUEST {
  if {[SSL::cert 0] ne ""}{
    set tmpcn [X509::subject [SSL::cert 0]]
    set cn [findstr $tmpcn "CN=" 3]
    HTTP::header replace X-Client-Certificate-SAN $cn
    
  } else {
    HTTP::header remove X-Client-Certificate-SAN
  }
}

    My test results.

     curl -k --cert ./platform-tls-client.slack.com.crt --key ./platform-tls-client.slack.com.key https://192.168.1.200:8443/headers.json
{"User-Agent":"curl/7.29.0","Host":"192.168.1.200:8443","Accept":"*/*","X-Client-Certificate-SAN":"platform-tls-client.slack.com"}

    Here's what my config looks like.

    ltm virtual test_vs {
    creation-time 2019-08-27:10:03:53
    destination 192.168.1.200:pcsync-https
    ip-protocol tcp
    last-modified-time 2019-08-27:10:20:58
    mask 255.255.255.255
    pool slack_pool
    profiles {
        http { }
        mtls_clientssl {
            context clientside
        }
        tcp { }
    }
    rules {
        slack2
    }
    source 0.0.0.0/0
    source-address-translation {
        type automap
    }
    translate-address enabled
    translate-port enabled
    vs-index 3
}
 
ltm profile client-ssl mtls_clientssl {
    app-service none
    authenticate-depth 0
    ca-file f5ca
    cert-key-chain {
        default {
            cert default.crt
            key default.key
        }
    }
    defaults-from clientssl
    inherit-ca-certkeychain true
    inherit-certkeychain true
    peer-cert-mode require
}
 
ltm rule slack2 {
when HTTP_REQUEST {
  if {[SSL::cert 0] ne ""}{
    # extract SAN
    set santemp [findstr [X509::extensions [SSL::cert 0]] "Subject Alternative Name" 32 ","]
    # remove DNS: prefix
    set san [findstr $santemp "DNS" 4]
    # insert X-Client-Certificate-SAN header
    HTTP::header replace X-Client-Certificate-SAN $san
 
  } else {
    HTTP::header remove X-Client-Certificate-SAN
  }
}
}
alanjohnson7467's avatar
alanjohnson7467
Icon for Cirrus rankCirrus
Aug 27, 2019

Hi Eric,

 

Our application owners have finally gotten around to testing this and we are running into a slight problem. The header is getting inserted, but is including this full value which seems to be breaking things:

 

platform-tls-client.slack.com X509v3 Key Usage: critical Digital Signature

 

...do have any suggestions on how to remove the extra info in the value?

 

 

Thanks!

alanjohnson7467's avatar
alanjohnson7467
Icon for Cirrus rankCirrus
Sep 17, 2019

Hi Eric,

 

Apologies for the delayed response. We used the alternate rule you provided and it is working perfectly. Thank you so much for all your help!